Recently we our operation team found that accounts that are running Joomla and WordPress applications are being hacked. Most start with an automated scanner tool that scans for specific versions of Joomla and specific extensions versions. (Same with wordpress and others) Once vulnerabilities are identified then one of the below is used to gain access.

Here’s the main cause of it:

The _MACOSX folder is automatically generated when files are zipped on an Apple computer. Because the use of Mac you will find them after unzipping your downloaded Zip-archive on a Windows PC. Simply forget about this folder. You don´t need it.

Whats with __MACOSX in Zip files?

Recently people are using Mac’s for development these days. Most core developers from some of the leading web frameworks use Mac as their primary development platform. Several plugin and theme authors for WordPress also develop on Mac. This is good thing but also has side effects of this development.

The easiest way to archive something on Mac is to right click on directory of choice in Finder and select “Archive as…”. This creates a Zip file, which then the developer can distribute to users. After this procedure another folder suspiciously named”%%__MACOSX%%” gets created at the root of Zip archive. Bellow is an example:

==================================================================

/funvilla/wp-content/oqey_gallery/skins/__MACOSX

/images/stories/Halloween/__MACOSX

/wp-content/plugins/uBillboard/__MACOSX

/public_html/tmp/install_4a5e043578f85/__MACOSX

==================================================================

This folder contains other things, thumbnail for images in the original archive. These kind of unwanted undesirable things are really not necessary. It’s okay, try to keep cool. Bellow we are presenting a systematic analysis of what Mac OSX does is wrong, stupid and unnecessary:

In WordPress themes directory, if each theme starts creating its own”%%__MACOSX%%” folder, then themes directory would soon get crowded with useless garbage. This, creating an entire tree structure in the archive just breaks things in more ways. Example: each WordPress theme starts creating”%%__MACOSX%%” folders in the root of the archive. As a result the new theme will also try to extract in the”%%__MACOSX%%” folder. Not only this, some programs like Gallery ( Joomla ) also have the ability to load plugins/images directly from Zip files. Hence, people end up with unwanted images, themes and plugins in setup. This might just break the installation. Again, one did not explicitly create that folder. If someone creates a virus, that just modifies the default zip program on Mac to sneak in malicious payload via the”%%__MACOSX%%” folders in any new Zip archives, it’s a security risk.

This way we encountered that all the data inside”%%__MACOSX%%” folder is created from directory itself. No external information is used / needed. Think why anyone would ever need such new folder. The zip file has been produced on a system running Mac OSX, they’re irrelevant files (mac filesystem metadata) one can just delete the directory.

Next, we also encountered the Vulnerability Found in timthumb.php

We found a vulnerability in a popular image resizing library called TimThumb, used in many WordPress and Joomla themes and plugins. This allows one ( HACKER ) to upload and execute despotic PHP code in the TimThumb cache directory. Once, PHP code is uploaded and executed, any site can be compromised as per the HACKER.
We strongly recommend deleting timthumb.php / thumb.php / createthumb.php / showthumb.php / class.img2thumb.php / action.changethumb.php like file from the account. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory.
Still, one wish to use the TimThumb, then make sure to update the file the latest version and remember to check the TimThumb site regularly for updates. One should also set ALLOW_EXTERNAL to false and find the $allowedSites array inside the file and remove the domain names to prevent remote file downloading.

Please make sure it is as follows:

define( ‘ALLOW_EXTERNAL’, false );

Then make changes as following:

$allowedSites = array (

        'flickr.com',

        'picasa.com',

        'img.youtube.com',

        'upload.wikimedia.org',

);

Change it to look like bellow:

$allowedSites = array();

Always be sure to use the built-in WordPress functions for Themes and Plugins such as: add_image_size to resize images.

Kind Regards,
Daniel Smith
Level II Support Department
http://www.WebHost.Uk.Net
http://www.WebHosting.Uk.Net
Support Portal: https://secure.webhost.uk.net

Technorati Tags: Gallery, Joomla, Joomla Hack, Joomla Sites Hack, Joomla Vulnerability, MACOSX Vulnerability, Plugins, Themes, TimThumb Vulnerability, TimThumb.php file issue, WordPress, WordPress Hack, WordPress Plugins, WordPress Sites Hack, WordPress Themes, WordPress Vulneracility

cPanel PCI Compliance Step 1

First thing first, run a package update.

yum -y update

If it installed a new kernel, reboot the server so the new kernel takes affect. If its a live production server you may want to wait until an off-peak hour to do the reboot and continue with this article.

cPanel PCI Compliance Step 2

Now that you have the OS packages secure, its time to setup a firewall if you don’t have one already.

A good free IPtables based firewall is the APF (Advanced Policy Firewall) firewall from RF-X Networks, you can download that here:

wget http://www.rfxn.com/downloads/apf-current.tar.gz

While your at it, get and install the BFD (Brute Force Detector) and LSM (Linux Socket Monitor) which are also available on the RF-X Networks site.

The main things you want to configure are the allowed ports in the APF config file, both ingress AND egress, and then you want to setup an ACL by using the allow and deny hosts files that come with APF. For the ACL’s you want to block everything you don’t want public access to, but still need certain IPs to access. For example SSH, cPanel, WHM, and maybe webmail. For example your allow line for cpanel will look like this:

tcp:in:d=2083:s=123.123.123.123

Noticed, we used port 2083 and not the insecure cpanel port 2082, which we have blocked in the APF config file. And then so you have a deny from all that are not explicitly allows, add this to the deny hosts file:

tcp:in:d=2083:s=0/0

The reasoning behind this is to not even give anyone a chance to get in, if #1, they have your password, #2, they are trying to brute force their way in, #3, there is an exploit in which they are able to bypass the authentication means.

cPanel PCI Compliance Step 3

Back to Linux hardening, you want to do a few things here, first disable any unused packages/services, for example cups and portmap, delete any unneeded users, disable shell for any users that don’t need it in /etc/passwd.

You also want to change the SSH port, disable SSH version 1, and disallow direct root login:

pico /etc/ssh/sshd_config

Remember to allow the new SSH port in the APF config file, and add an underprivileged user to the wheel group, so you can su to root. and then restart the firewall and sshd.

cPanel PCI Compliance Step 4

Run a couple cpanel scripts, the first upcp, and the second easyapache. For upcp its recommend to use the “current” build, this is set in the update config in WHM.

/scripts/upcp

Remember to run upcp before running easyapache

/scripts/easyapache

When running easyapache, select the latest apache and PHP versions, and also ensure the following PHP options are checked:
CGI
Mod suPHP
suhosin fo PHP
Mod Security

This will ensure the most secure way to run PHP.

cPanel PCI Compliance Step 5

Install a ModSecurity rule set, ModSecurity, your layer 7, Web Application Firewall (WAF) is only as good as the rule set you are using. GotRoot.com is a good place for free ModSecurity rules.

wget http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz

Download, untar and install the different rules files, and then test and edit if needed.

cPanel PCI Compliance Step 6

The next step is to disable dangerous and PCI unfriendly PHP functions. For example a phpinfo page will cause you to fail a PCI scan. You disable line should contain at least the following functions:

phpinfo,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,
show_source,escapeshellarg,escapeshellcmd,inject_code

cPanel PCI Compliance Step 7

Now its time to go to WHM. There are a number of built-in WHM security features, and PCI friendly features.
Going down the list on the left hand side of WHM you want to look at:

Apache mod_userdir Tweak – Here Check “Enable mod_userdir Protection” and click save
Compiler Access – Click “Disable Compilers”
Configure Security Policies – Check the first 3 and next 2 if necessary, and click save
cPHulk Brute Force Protection – Enable cPhulk, and under White/Black list Management enter your IP(s)
Password Strength Configuration – Set this to 100
PHP open_basedir Tweak – Check “Enable php open_basedir Protection.” click save
Shell Fork Bomb Protection – Click “Enable Protection”
SMTP Tweak – Click “Disable”

Apache Configuration–>Global Configuration
- For SSLCipherSuite Change the + by Medium to a -, you line should look like this “ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP”
- Set TraceEnable and ServerSignature to Off
- Set ServerTokens to ProductOnly
- Set FileETag to None
- For Directory ‘/’ Options uncheck “indexes”

Now click save, then click Rebuild Configuration and Restart Apache
For Manage Service SSL Certificates, make sure all your services have a valid SSL cert
Under Service Manager, disable any services you don’t need, for example if you don’t have your database on this server, disable mySQL, if you don’t use it for email, disable the email related services

cPanel PCI Compliance Step 8

In order to pass a PCI scan your server must have at least one SSL certificate signed by a recognized certificate authority, and any services using SSL need to be using a certificate as well. Buy a decent 128 / 256 bit  SSL certificate and install it not just for Apache, but also for all of your active services. WebHost Manager has a section for installing service SSL certificates to make this process easier.

cPanel PCI Compliance Step 9

Finally document your versions. A part of your PCI docs file, you should have a screen shot of the version you are running of at least the following:
Apache, PHP, ModSecurity, Linux Kernel, CentOS, OpenSSH, and OpenSSL. Your output will look something like this:

root@server [/]# httpd -v
Server version: Apache/2.2.17 (Unix)
Server built: Dec 14 2010 17:23:57
Cpanel::Easy::Apache v3.2.0 rev5277

root@server [/]# php -v
PHP 5.3.4 (cli) (built: Dec 14 2010 17:30:39)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with the ionCube PHP Loader v3.3.20, Copyright (c) 2002-2010, by ionCube Ltd.
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

root@server [/]# uname -r
2.6.18-194.32.1.el5

root@server [/]# cat /etc/redhat-release
CentOS release 5.5 (Final)

root@server [/]# cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c
|grep MODULE_RELEASE |head -1
#define MODULE_RELEASE “1.9.5″

root@server [/]# rpm -qa |grep openssl
openssl-devel-0.9.8e-12.el5_5.7
openssl-0.9.8e-12.el5_5.7

root@server [/]# rpm -qa |grep openssh
openssh-4.3p2-41.el5_5.1
openssh-server-4.3p2-41.el5_5.1
openssh-clients-4.3p2-41.el5_5.1

Since RedHat type operating systems, including CentOS and Fedora, use backporting for OpenSSH and OpenSSL, you may get a false positive on your PCI scan for these. If that happens to you, send the screen shots showing your OpenSSH, OpenSSL, as well as your CentOS version and kernel version to your PCI scanner and let them know your a running a seucre, backported version, and request that they test that version manually.
If your PCI ASV requests more proof you are running a secure version of OpenSSH and OpenSSL, you can send them a screen shot of the following commands, which show specifically what patches have been applied to your version.

rpm -q --changelog openssh | head -50
rpm -q --changelog openssl | head -50

This will produce output similar to:

# rpm -q --changelog openssl | head -50
* Tue Dec 07 2010 Tomas Mraz 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)

* Fri Mar 12 2010 Tomas Mraz 0.9.8e-12.6
- fix CVE-2009-3245 – add missing bn_wexpand return checks (#570924)
(output truncated)

Another common false positive with cPanel servers, is your scan might detect Exim as an open relay, this is because the server will sending the mail headers before authentication, even though a successful authentication is needed before it will allow email to go through. If this shows up on your scan you will want to ask the scanning vendor to test this vulnerability manually.

We hope you have enjoyed this article and found it useful for helping make your cPanel Linux server PCI compliant. Please remember to try and test the steps listed here on a test server before applying them to your production cPanel servers. In addition this article does not cover everything your need to do to be PCI compliant, and it meant to be a starting point, and provide information for a cPanel, CentOS specific server. We plan on bringing your future articles and howto’s to cover the PCI compliant information missing from this article.

Technorati Tags: Best UK Web Hosting 2011, Britain Web Hosting, England Web Hosting, fasthosts Alternative, Godaddy Alternative, London Web Hosting, PCI Compliant, Top UK Web Hosting 2011, UK2 alternative, Web Hosting 2011, WebHosting UK alternative

Signup for any of our shared linux hosting, shared windows hosting, reseller linux hosting or reseller windows hosting for two years and get one additional year absouletely free..

Shared Linux Web Hosting plans : http://www.webhost.uk.net/shared_hosting.html

Shared Windows Web Hosting plans : http://www.webhost.uk.net/shared_win_hosting.html

Reseller Linux Web Hosting Plans : http://www.webhost.uk.net/reseller_hosting.html

Reseller Windows Web Hosting plans : http://www.webhost.uk.net/reseller_win_hosting.html

To claim your one year of free hosting, simply signup binennially for any of our shared or reseller web hosting plans and once your order is approved and accepted, the one additional year will be added to your account absouletely free of charge – which means you will be able to host your websites for 3 years by paying just for two years..

Additionally get free goodies and features such as :

• Free domain names
• Free SSL certificates (on selective shared and reseller hosting plans)
• Free Dedicated IP’s (on selective shared and reseller hosting plans)
• Free WHMCS billing system (on selective shared and reseller hosting plans)
• Free Vision helpdesk license (on reseller web hosting plans)
• Free ENOM reseller accounts (on reseller web hosting plans)
• Free private labelled nameservers (on reseller web hosting plans)
• Free Rvskin and Rvsitebuilder softwares (on Linux plans)
• Free account migration
• 24/7 lightening fast live chat and ticket support

So why wait for this limited opportunity to pass away when your business and websites can be secured with one of the UK’s most reliable and stable web hosting company http://www.webhost.uk.net

WEBHOSTUK LIMITED also offers cheap and reliable cpanel vps and dedicated servers, hosted in UK datacenter at http://www.webhosting.uk.net

Location : London, United Kingdom

WEBHOST.UK.NET is proud to announce the availability of .co TLD domains on their website for purchase.

.CO is the new domain extension for companies and people who are for looking for a brand online presence for their corporate identity. With a truly global recognition, and credible domain name after limited choices of the .com domain, now this is your chance to get one of your favourite domain with .co extension and give a unique online identity to your company.

For all practical purposes, .co domains are the same as .com domains; that means they are available to everyone and come on a first-come, first-serve basis. One of the biggest advantages of the .co TLDs, besides the fact that they’re similar to .com TLDs, is the fact that they are already widely recognized. More than 20 countries, including the UK (.co.uk) and Japan (.co.jp), already use them for their country-specific domains.

Abbie Clayton, Head of Business Development for WEBHOSTUK LTD further added, “We get regular requests from customers who wish to create a unique online presence for their company, but the limited choices of .com, .net .co.uk domains, they always had to compromise while choosing the domain name. Now that our Domain Partner ENOM has made the .co domains available for purchase, we thought of passing over the once in a lifetime opportunity to our customers..”

She further added “The advantage of purchasing company-associated domain names is that it can optimize your company web presence, and could increase profitability as more potential customers are directed to your .co websites.”

The .co domain can be ordered by visiting the company domain check url https://secure.webhost.uk.net/domainchecker.php

About WEBHOSTUK LTD:

WEBHOSTUK LTD is one of the leading UK web hosting companies offering their shared web hosting, reseller hosting, vps and managed dedicated hosting solutions at cheap and affordable rates. Company claims to offer 24/7 live chat and email support offering their shared web hosting packages under the name of http://www.webhost.uk.net and managed vps & dedicated hosting solutions under the name of http://www.webhosting.uk.net.

The launch of these new range of managed servers will now give the best dedicated hosting experience to small, medium and large business models. The company now offers free managed services along with all their dedicated server series to make things simple and easy to manage for their end user clients.

The servers reside in one of the finest World-class data centers and are connected by redundant gigabit connections. All servers come with generous bandwidth allocations and superb network backbones supported with Webhostuk Limited‘s commitment to offer unmatched service and support, which helps the customers to deliver superior level of service and consistency to their end-users and achieve greater profitability. All servers are available in both Linux and Windows configurations with the choice of award winning control panel – WHM/cpanel and Parallels Plesk. A range of additional services and features such as dedicated IP’s, additional drive storage, RAID arrays, SSL certificates etc, can be added by the customer to suit their exact requirements.

Abbie Clayton, Head of Business Development, Webhostuk Limited, says “Big, small, short, tall; Webhost.uk.net continually strives to offer the best possible server solutions, equipped with the latest processing power. Our robust series of managed dedicated servers are capable and ready to meet the ever growing needs of web hosting customers and their business. We now offer managed services free of charge so that our customers can solely concentrate on the productivity of their business and revenues .

Webhostuk Limited‘s dedicated servers range (http://www.webhosting.uk.net) is backed by 24×7 technical support (Email and Live Chat), offering a 100% SLA network uptime guarantee.

If you respond to this letter, your domain will be transferred to the Domain Renewal Group, and WEBHOSTUK LIMITED will no longer be the registrar for your domain. The Domain Renewal Group charges much more for domains: £20 a year in comparison to our £9.99 GBP a year for .COM/.NET/.ORG domains.

If you receive a letter from Domain Renewal Group, we recommend you ignore the letter and simply throw it away. Here is a sample letter:

Trying to identify a web host can be a very daunting task especially when there are so many available nowadays and all of them promise one thing or another. Hence, it is crucial that before you jump in, you do your own homework or research for selecting the most appropriate web hosting company for your website.

With the changing trend of technology, web hosts are also changing. Most of them provide various services in addition to their basic ones. Say if you are running an e-commerce website, then of course you need high end security and a medium through which you can manage your web content efficiently. There are many tools that facilitate this, however if your web hosting service is not reliable then you can miss out on serious revenues and prospective clients.

Once you have determined and identified what web hosting services you require for your online business, it is then time to enlist certain web hosting features and options you must consider. You can find below some of the most important aspects of web hosting:

Disk space and bandwidth

You should know how much space your website would need and approximate data it will generate. When we talk about disk space, well, it’s actually the amount of storage assigned to you by the web hosting provider. The bandwidth is the amount of traffic that is allowed to access and leave your website. In case your website has a lot of graphics then you would require higher storage area and greater bandwidth.

Programming tools and the OS

You need to be sure that your website is uploaded through secure servers using the latest Operating System. Most web hosts run on a UNIX based operating system, usually Linux or BSD. For the running of various web applications you would require ASP, .NET, MS SQL, SBS and for these you need a Window based host.

Pricing Aspect

You need to compare pricing before you finalize a web hosting service. Some may provide you better services but at low pricing. It’s not always true that the best hosting services are always the most expensive. Do your research and then finalize.

Support, Security, Guaranteed uptime and Backups

Security and backups are two very important aspects that you need to consider. You should always choose a web hosting service with reliable telephone support. Some also offer 24/7 support through local or toll-free numbers. In case you are running an ecommerce website then security is one aspect that you just cannot discard. Your web hosting service provider should be such that they can monitor things round the clock and ensure no unwanted intruder can hack your site. After all it’s your website and it is really worth looking into this aspect of web hosting.

Technorati Tags: Cheap web hosting, linux web host, reliable web hosting, Windows Web Hosting

An IPS TAG is a unique identifier given to each Tag-Holder with Nominet (the registry for all UK domain names). Tag-Holders are the ‘Domain Name Companies‘ that provide domain name registration services. They include specialist domain name companies, hosting companies, ISP’s and others such as web designers. The tag is used to identify the company responsible for the management of a .uk domain. It is a single alpha-numeric sequence, in uppercase, sometimes hyphenated.

If you want a different company to “look after your domain names” you can do this by changing your IPS Tag. For changing the IPS Tag you need to contact the company where you have registered the domain name and ask them to change the TAG to the TAG of your new provider. Some companies will charge a small fee for this change and are reluctant to “let you go” and want reasons for the change. The company you change your domain name to will provide you with their IPS TAG which you need to hand over to the current company, so that they can make the change. The new company might charge a small fee too for transferring a domain name to their business.

Technorati Tags: IPS TAG

The Domain Name System or Servers (DNS), is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember handle for an Internet address. Internet domain names are the names which we use to refer to hosts on the Internet, such as www.webhost.uk.com while internet protocol addresses are the numbers which routers use to move traffic across the Internet, such as 197.71.123.219 DNS is part of the application layer of the TCP/IP reference model. DNS is implemented using two software components: the DNS server and the DNS client (or resolver).

If you have a domain name with www.123-reg.co.uk, and your webhosting is with www.webhost.uk.com (for example), the domain name servers would have to be changed to ns1.webhost.uk.com and ns2.webhost.uk.com. Your domain name needs to “know” where your website files are. By pointing the DNS to the servers of
webhositng uk, your website will be displayed.

Technorati Tags: DNS: Domain Name System or Servers

Digg is a popular social bookmarking and content discovery website. Although site management and maintenance is done the website’s paid staff, everything on digg is submitted by the digg user community. These submissions are subject to peer review and are voted upon by other site visitors. The stories receiving enough diggs is posted on the websites front page, for the millions of digg visitors to see. According to Alexa, Digg is one of the most popular websites on the internet, reaching 1 out of every 100 internet users daily.

How to submit stories?

Submitting stories to digg is very easy. To submit stories you have to be a registered member of the digg, once you have registered and signed in, just click on the option submit story and then enter the URL of the story which you would like to submit. Then enter the title of the story with a short description and select the proper category for the story. You are only allowed to digg only original story and not any duplicate entry.

What can you do as a digg user?

Every digg user can digg (help promote), bury (help remove spam), and comment on stories. You can even digg and bury comments you like or dislike. Digg also allows you to track your friends’ activity throughout the site.

Technorati Tags: What is Dig